When China’s new Cybersecurity Law takes effect on June 1, 2017, China will become another important jurisdiction to watch in the international data transfer space.

Before the new Cybersecurity  Law officially was promulgated on November 7, 2016, cross-border data transfer of data from China was largely unregulated by the government.  While many Chinese laws and regulations governed the collection, use and storage (including localization) of data, no binding laws or regulations contained generally applicable legal requirements or constraints on the transfer of data across Chinese borders.

Article 37 of the new Law, for the first time, expressly requires that operators of Critical Information Infrastructure (CII) store within China “citizens’ personal information and important data” collected or generated in the course of operations within the country.  If transfers of data offshore are necessary for operational reasons, a security assessment must be conducted by designated agencies, unless otherwise regulated by laws and regulations.

Although there currently is a lack of specifics, the government  is likely to devise a data transfer mechanism that relies on CII operators’ commitments or binding contractual obligations to allow companies to transfer personal information of Chinese citizens to other countries.  It is possible that at least some elements of this mechanism will be comparable to the European Union’s (EU’s) Model Contracts and Binding Corporate Rules (BCR) or Asia-Pacific Economic Cooperation’s (APEC’s) Cross Border Privacy Rules (CBPR) system.  For “important data” relating to China’s national security, the assessment will have to be made on a case-by-case basis.

Companies that transfer Chinese citizens’ data into and out of China on a regular basis can consider taking steps to comply with the potential Chinese requirements, even though we still lack official guidance from the agencies.

Covington’s Yan Luo explains in a EuroBiz article the changes proposed by the new Law and discusses potential data transfer compliance strategies that companies may wish to consider to comply with the new Chinese data transfer requirements.  Read the full article here.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Yan Luo Yan Luo

Yan Luo advises clients on a broad range of regulatory matters in connection with data privacy and cybersecurity, antitrust and competition, as well as international trade laws in the United States, EU, and China.

Yan has significant experience assisting multinational companies navigating the…

Yan Luo advises clients on a broad range of regulatory matters in connection with data privacy and cybersecurity, antitrust and competition, as well as international trade laws in the United States, EU, and China.

Yan has significant experience assisting multinational companies navigating the rapidly-evolving Chinese cybersecurity and data privacy rules. Her work includes high-stakes compliance advice on strategic issues such as data localization and cross border data transfer, as well as data protection advice in the context of strategic transactions. She also advises leading Chinese technology companies on global data governance issues and on compliance matters in major jurisdictions such as the European Union and the United States.

Yan regularly contributes to the development of data privacy and cybersecurity rules and standards in China. She chairs Covington’s membership in two working groups of China’s National Information Security Standardization Technical Committee (“TC260”), and serves as an expert in China’s standard-setting group for Artificial Intelligence and Ethics.